Twitter based malware attacks and the risk to business

Dana Tamir, Director of Security for Trusteer talks us through the new wave of security threats accessing data via Twitter. Dana Tamir explains that businesses have invested huge amounts of money into network security but have neglected user end points like social media where hackers and phishing emails use services like Twitter to breach company security and access sensitive data.

First of all give us the background on Trusteer?

Trusteer are known as crime prevention solution and we have been protecting on line banking customers, financial customer's transactions and securing those transactions and financial fraud and advanced malware. We have expanded our technology and now protect endpoint users from exploitation and user applications like Java, Flash, Adobe Acrobat and browser vulnerabilities that are exploited to download malware on those endpoints and associated data outside the field and today that is the way targeted attacks are started.

So there has been a lot of talk around the threats relating to user endpoints. You have identified a particular risk associated with Twitter. Tell us a little bit about how this was identified and where it has come from?

We are monitoring today 30 million endpoints around the world. We have seen in a few endpoints that malware which was previously known as financial malware was stealing the identification code off Twitter and using it with the API post malicious Tweets on behalf of the Twitter user and spreading them to all the users followers and the followers get the Tweets with a short URL which you can't tell if it is malicious or not so they click it and then they get infected with the malware itself. So the malware is spreading through these malicious twits to more and more users and through that it is really a new way to spear phish and allowing them to spread out and allowing the hackers to get a foothold on enterprise endpoints and then the network.

So, with all of the efforts that companies have put in to secure their networks actually they are using the social network as their route in to go and do damage elsewhere?

That is right and it's because enterprises have put so much into the perimeter of their defences that attackers are looking for the weakest point and the weakest point today is the vulnerable endpoint user web applications like Java, browser and web applications because they are all vulnerable and exploiting these vulnerabilities you can actually download malware on these endpoints, steal information and send it out to the attackers enabling them to address the attack.

So looking at it from the social network point of view are you finding that organisations of a certain type are being targeted or is it really across the board?

It is across the board but really what the attackers are looking for is to get a foothold and control of enterprise networks and there are few programmes able to stop it usually they target unknown vulnerabilities. Really exploit prevention technology is the only way to stop these types of attacks.

Is it just limited to Twitter or other social networks?

Absolutely not we have seen similar types of attack on Facebook and on other social networks and so definitely social media is used to spread malware throughout.

I know here on the Trusteer stand you have been giving demos today on how easy it is to post links on peoples Twitter feeds and giving some ideas on how companies can protect themselves. What are the sorts of solutions that you recommend to organisations who have experienced this or are worried about this in the future?

Most companies avoid control of data coming into the network and that is bound to fail because hackers are looking at blacklisting rules whether it is files or signatures for security the hackers just work around these rules and bypass them and right way to protect is by controlling the application execution and validating the execution of the legitimate applications. Which is what Trusteer do, we look at the action and then combine with the application state we validate the execution. To give you an example if you see a browser downloading a file how do you know if it is legitimate. The user saving a file from a browser that's fine but if it's a drive by download that is not want you want to happen. You can't tell if the file download is malicious or not unless you validate the state in which the download takes place. By looking at the application state looking at the memory and the internal processes. We can tell if this is a legitimate operation or malicious based on data we can literally decide if should allow the download to be executed or stop it from executing.

Have organisations realised this soon enough or is there a lack of awareness out there and how are you dealing with that moving forward?

Enterprises have tried to deal with this for a long time and every means they have tried has failed they have tried to educate users not to work on malicious links or suspicious links and that has failed users still click them and especially with the twitter attack you are using a short ural so the user has no way to know whether it is suspicious or not. We see users clicking suspicious links all the time so that has failed. We have tried to prevent these exploits and that has failed as well. It is just impossible to keep up on patch levels and all enterprise npoints but that has failed . We have tried to patch vulnerable applications to prevent these exploits but that has failed as well. It is just impossible to keep up on patch levels and all enterprise npoints. We have tried to detect the threat coming and try to stop it and that has failed so really the only way to stop these exploits and stop the user from getting infected by malicious websites is by ensuring that the application is secured correctly and legitimately and not exploited so that way zeroday protection is so important to enterprises these days.